• Laurent de la Vaissière, Partner |
2 min read

On 25 August 2020, the CSSF published Circular 20/750 implementing the EBA Guidelines on ICT and security risk management in Luxembourg. These guidelines establish a consistent approach to the mitigation and management of these risks in all EU countries.

Are you ready for the Circular? Download our self-assessment to assess your preparedness and define a response plan.


The EBA Guidelines provide clarity on the management and mitigation of ICT and security risk management, stating that:

  • ICT risks must be part of financial institutions’ general governance and risk management procedures, crisis management protocols, and business continuity planning. This will reduce the risk of ICT failures and make it easier for institutions’ to recover and respond when such failures do occur.
  • Of particular importance are the ICT and security risk management framework and information security framework. These documents should be approved periodically at the highest level by the management body.

The guidelines consist of 97 requirements across the following areas:

  • Governance and strategy
  • ICT and security risk management framework
  • Information security
  • ICT operations management
  • ICT project and change management
  • Business continuity management
  • Payment service user relationship management

Scope of application

As per the EBA guidelines, banks, investment firms, and payment and electronic money institutions are all in scope of Circular 20/750. In Luxembourg, the CSSF has extended the scope to include both specialized and support PSFs.

Updates to existing circulars

Circular 12/552 has been updated to cross-reference the new guidelines with significant updates to points 85 and 86 with regards to the IT and Information Security Officers.

Circular CSSF 19/713 has been repealed. The guidelines implemented by the CSSF 20/750 circular supersede those in the CSSF 19/713 circular on payment services.

Reporting obligations

Banks providing payment services are required to send the CSSF an up-to-date and exhaustive risk assessment on a yearly basis. This risk assessment should be signed by authorized management and submitted no later than 30 April.

Payment and electronic money institutions need to include the same exhaustive risk assessment in their management report on internal controls. A new section has been added for this purpose. Submission deadlines remain unchanged.


Circular 20/750 applies with immediate effect.

Self-assessment questionnaire

The attached questionnaire addresses the key issues likely to impact your business when it comes to Circular 20/750 compliance.

It contains a series of questions to help you evaluate current governance and processes and to identify areas of focus and the practical steps to strengthen your ICT and security risk management practices.

Need a hand?

KPMG can help you adapt your ICT and security risk management framework to include ICT and security risk assessments and control monitoring programs. We can also support liaising with the regulators. Please visit our website or contact me to find out more.